Bitrix24 is a customer relationship management (CRM) platform that allows companies to capture sales data, personalize communication, and track key interactions with clients and prospects in one central location.
While CRMs can help streamline business operations and enhance performance, covered entities should always take HIPAA compliance into consideration. Let’s explore whether Bitrix24 meets these critical security standards.
Bitrix24 and business associate agreements
A third-party vendor that stores, accesses, or sends protected health information (PHI) is considered a business associate. When a covered entity works with a business associate, a business associate agreement (BAA) must be signed by both parties. This is a document that outlines the obligations of the business associate to keep PHI secure.
Without a signed BAA, the vendor cannot be considered HIPAA compliant. In this particular instance, Bitrix24 is considered a business associate for a healthcare organization if it manages PHI within its platform. Bitrix24’s website mentions HIPAA in relation to using Amazon Web Services (AWS) to securely host data, but there is no information on the company’s willingness to sign a BAA.
Bitrix24 and data security
In addition to the BAA, data security is another important piece of maintaining HIPAA compliance. This means covered entities should review the specific safeguards that a vendor has in place to protect PHI. According to the company’s security page, Bitrix24 takes a number of steps to protect customer data. These include isolating user access at the database and cloud storage levels, backing up information on a daily basis, carrying out data transfers through an SSL-encrypted connection, using a web application firewall, and providing one-time codes for two-step authorization.
However, the company’s Terms of Service states that customers are “solely responsible for maintaining the confidentiality of user accounts” and “Bitrix24 is not liable for any harm caused or related to theft or misappropriation of the user account and content.” It is therefore up to the customer to secure information by “installing anti-virus software, updating applications, and preventing third-party access.”
Is Bitrix24 HIPAA compliant?
A BAA is required for full HIPAA compliance, and we could find no indication that Bitrix24 will sign one.
Conclusion: Bitrix24 may not be HIPAA compliant.
Increase your protection
Choosing HIPAA compliant software is a good place to start, but healthcare providers should also take proactive action to safeguard PHI with stronger email security. Built to integrate conveniently with your current email platform, such as Google Workspace or Microsoft 365, Paubox Email Suite enables HIPAA compliant email by default and automatically encrypts every outbound message.
This means you don’t have to spend time deciding which emails to encrypt, and your patients can receive your messages directly in their inbox without having to navigate any additional passwords or portals. Paubox Email Suite’s Plus and Premium plan levels are also equipped with advanced inbound email security tools that deliver further protection from potential threats.
Our patent-pending Zero Trust Email feature uses email AI to verify that an email is legitimate, while patented ExecProtect quickly puts a stop to display name spoofing attempts.